KR20200002985A - Data sharing methods, clients, servers, computing devices, and storage media - Google Patents

Abstract

The present application provides a data sharing method, comprising: encrypting plain text data according to a key to obtain encrypted data; Uploading the encrypted data to a block of an information sharing system, wherein the information sharing system is a blockchain system; Uploading the first portion of the key to an access authorization server corresponding to the information sharing system; Receiving an authorization code corresponding to the encrypted data from the access authorization server; And sending a second portion of the authorization code and the key to a second client of the user when the user is authorized to access the encrypted data, wherein the second portion of the key is the first portion. Include the rest of the key except for. The present application further provides corresponding clients, servers, computing devices and storage media.

Description

Data sharing methods, clients, servers, computing devices, and storage media

This application claims the priority of Chinese Patent Application No. 201711065783.1 ('Data Sharing Methods, Clients, Servers, Computing Devices and Storage Media') filed with the Chinese Patent Office on November 2, 2017, which is incorporated by reference in its entirety. Specification is included.

TECHNICAL FIELD This application relates to the field of computer technology, and more particularly, to a data sharing method, a client, a server, a computing device, and a storage medium.

With the development of Internet technology, some information sharing systems have made their debut in the field. You can upload data such as photos, documents, videos, and other files to an information sharing system and authorize other users to access the data through the information sharing system.

Thus, to ensure the security of the data, there is a need for an information sharing system that requires the following technical means, for example, to verify the information provided by the user when the user requests access to the file.

An embodiment of the present application provides a data sharing method performed by a first client, the method comprising: encrypting plain text data according to a key to obtain encrypted data; Uploading the encrypted data to a block of an information sharing system, wherein the information sharing system is a blockchain system; Uploading the first portion of the key to an access authorization server corresponding to the information sharing system; Receiving an authorization code corresponding to the encrypted data from the access authorization server; And sending the authorization code and the second portion of the key to a second client of the user when the user is authorized to access the encrypted data, wherein the second portion of the key is other than the first portion. The second client adds the authorization code and the second portion of the key to the access request, when sending a request for access to the encrypted data to the access authorization server; In case the access authorization server determines that the authorization code is valid, the access authorization server generates the key according to the first and second portions of the key and obtains the key in order to obtain the plain text data. Accordingly decrypts the encrypted data obtained from the block of the information sharing system, and wherein the second client It includes - a return to the encrypted data also.

An embodiment of the present application further provides a data providing method, comprising: receiving a first portion of a first key from a first client, wherein the first key corresponds to encrypted data uploaded to a block of an information sharing system, The encrypted data is obtained by encrypting plain text data according to the first key, wherein the information sharing system is a blockchain system; Generating a first authorization code corresponding to the encrypted data; When the first client authorizes a second client to access the encrypted data, the first client sends the second grant code and the second portion of the first key to the second client, thereby generating the first client. 2 sending the first grant code to the first client so that the client can add the first grant code and the second portion of the first key to an access request when the client accesses the encrypted data; The second portion of the first key includes the remaining portion of the first key except the first portion, and in response to receiving an access request from any client to the encrypted data; The data sharing method comprises: obtaining a second grant code and an incomplete key from the access request; Generating a second key according to the incomplete key and a first portion of the first key corresponding to the encrypted data when the second grant code is the same as the first grant code and the second grant code is valid Step, said generated second key being equal to said first key if said incomplete key is equal to a second portion of said first key; Obtaining the encrypted data from the block of the information sharing system; And decrypting the encrypted data according to the second key, wherein the plain text data is obtained through decryption and is sent to the client sending the access request if the second key is equal to the first key. It further includes.

An embodiment of the present application provides a first client, comprising: an encryption module configured to encrypt plain text data according to a key to obtain encrypted data; An uploading module configured to upload the encrypted data to a block of an information sharing system and to upload a first portion of the key to an access authorization server corresponding to the information sharing system, wherein the information sharing system is a blockchain system; An authorization configured to receive an authorization code corresponding to the encrypted data from the access authorization server and to send the authorization code and the second portion of the key to a second client when a user is authorized to access the encrypted data Module-The second portion of the key includes the remaining portion of the key except the first portion, and when the second client sends the request for access to the encrypted data to the access authorization server, the second client sends the authorization code. And add a second portion of the key to the access request, and if the access authorization server determines that the authorization code is valid, the access authorization server selects the key according to the first and second portions of the key. Generate and share the information according to the generated key to obtain the plain text data Comprises - decrypting the said encrypted data obtained from the block of the stem, and it returns the encrypted data to the second client.

An embodiment of the present application provides an access authorization server, receiving a first portion of a first key from a first client, the first key comprising encrypted data uploaded to a block of an information sharing system, wherein the encryption Encrypted data is obtained by encrypting the plain text data according to the first key, wherein the information sharing system is a blockchain system, generates a first authorization code corresponding to the encrypted data, and wherein a second client generates the encrypted When authorizing to access the data, the second client sends the first authorization code and the second portion of the first key to the second client so that the second client can access the encrypted data. Send the first client to the first client so that the first grant code and the second portion of the first key can be added to the access request. An authorization module configured to send an authorization code, wherein the second portion of the first key includes the remaining portion of the first key except the first portion; In response to receiving an access request from any client for the encrypted data, obtaining a second grant code and an incomplete key from the access request, wherein the second grant code is the same as the first grant code and the first grant code A verification module, configured to trigger the key module if the authorization code is valid; The key module configured to generate a second key according to the incomplete key and the first portion of the first key corresponding to the encrypted data, wherein the generated second key is the second key of the first key; Same as the first key if same as the portion; And a decryption module configured to obtain the encrypted data from the block of the information sharing system, and to decrypt the encrypted data according to the second key, wherein the plain text data is obtained through decryption and the second key is the first key. Sent to the client sending the access request if equal to a key.

Embodiments of the present application further provide a computing device, comprising one or more processors; Memory; And one or more programs stored in the memory and configured to be executed by the one or more processors, wherein the one or more programs include instructions for performing the method described above.

Embodiments of the present application further provide a storage medium for storing one or more programs comprising instructions and allowing the computing device to perform the methods described above when the instructions are executed by a computing device.

BRIEF DESCRIPTION OF DRAWINGS To describe the technical solutions in the embodiments of the present disclosure more clearly, the following briefly introduces the accompanying drawings required for describing the embodiments. Apparently, the accompanying drawings in the following description show only embodiments of the present disclosure, and a person of ordinary skill in the art may derive other drawings from these accompanying drawings without creative efforts.
BRIEF DESCRIPTION OF DRAWINGS To describe the technical solutions in the embodiments of the present disclosure more clearly, the accompanying drawings are provided for a further understanding of the present disclosure. The accompanying drawings in this specification show only some embodiments of the disclosure, and those skilled in the art can derive other embodiments from these accompanying drawings without creative efforts.
1 is a system architecture diagram according to an embodiment.
2 is a flowchart of a method according to an embodiment.
3 is a flowchart of another method according to an embodiment.
4 is a schematic diagram of message interaction according to an embodiment.
5 is a schematic diagram of a user interface according to an embodiment.
6 is a schematic diagram of a user interface according to an embodiment.
7 is a schematic structural diagram of a client according to an embodiment.
8 is a schematic structural diagram of a server according to an embodiment.
9 is a schematic structural diagram of a configuration of a computing device according to an embodiment.

For the sake of brevity and intuitiveness of explanation, the solutions of the present disclosure are illustrated herein by describing some representative embodiments. However, not all implementations are illustrated here. Numerous details in the embodiments are used only to aid understanding of the solutions of the present disclosure, and the technical solutions of the present disclosure may not be limited to these details during implementation. In order not to unnecessarily obscure the solutions of this disclosure, some implementations are not described in detail, but only frameworks are provided. In the following, the term "comprising" refers to "including but not limited to" and the term "according to" is "according at least, but limited to only according to ... It does not mean. " The term "include / comprise" in the specification and claims refers to inclusion at least to some extent and should be construed to include other features as well as features mentioned hereinafter.

Embodiments of the present disclosure provide a data sharing method. This method can be applied to the system architecture shown in FIG. As shown in FIG. 1, the system architecture may include a first client 101, a second client 102, an access authorization server 103, and an information sharing system 104. The entity can communicate via the Internet 105. The information sharing system 104 can be configured to store various data uploaded by the user, and the user can also access the data of the information sharing system 104. The actual network may include a large amount of clients, but is not limited to clients 101 and 102. The data uploaded to the information sharing system 104 may correspond to the first client 101, which may be a client used by the holder of the data and the user who uploaded the data, and may also be referred to as a sharer client. Such data may be accessed by one or more second clients 102. The second client 102 can be a client used by a user to access such data and can also be referred to as a visitor client or viewer client. The access authorization server 103 may be directly connected to the information sharing system 104 or may be connected to the information sharing system 104 via the Internet 105, and the access service or authorized view of the information sharing system 104 may be used. ) To provide a service. The second client 102 can obtain the desired data from the information sharing system 104 via the access authorization server 103. Specifically, the second client 102 may send an access request or view request for data to the access authorization server 103. The access authorization server 103 authenticates the access request by verifying that the user of the second client 102 has the right to access the data, for example by verifying the authorization code in the access request. If authentication succeeds, the encrypted data obtained from the information sharing system 104 may be decrypted according to the key information carried in the access request. If plain text data is successfully obtained after decoding, the plain text data may be returned to the second client 102.

Here, the first client 101 and the second client 102 may be various APP clients or browsers that can access the shared data. The first client 101 and the second client 102 may be executed in various terminal devices, and may include a PC, a mobile phone, a tablet computer, a palmtop computer, an ultrabook, a wearable device, and the like. Information sharing system 104 may be a variety of integrated or distributed data storage systems, and may include, but is not limited to, blockchain systems (or referred to as blockchain networks), database systems, network disk / cloud disk systems, and the like. It is not. Data stored in information sharing system 104 may include data generated in a number of service scenarios, including digital assets, authentication services, distributed ledgers, shared economies, and other scenarios.

Digital assets refer to non-monetary assets that are owned or controlled by companies that exist in the form of electronic data and can be sold as daily activities or used in production processes. The production of digital assets can benefit from office automation. Digital assets are developed based on electronic payment systems and can be used for scenarios such as shared credits, coupons, digital currencies, stock registrations and other scenarios. Certification services are used for business scenarios such as copyright / ownership projection, judicial document projection, charitable donations, and personal and corporate certificates. Shared ledgers are used for business scenarios such as cross-agency liquidation, bank acquisitions, cross-agency syndication loans, supply chain finance and cross-border remittances. Blockchain is a link data structure formed by sequentially connecting data blocks in chronological order, and is a distributed tamper proof and anti-counterfeiting ledger. Blockchain system is a brand new distributed basic architecture that uses link data structure to verify and store data, create and update data using distributed node consensus algorithm, and secure data transmission and access through encryption. Program and operate the data using smart contracts formed by automated script code.

In some business scenarios, data uploaded to the information sharing system 104 may need to be encrypted, and access to the data may need to be authenticated. In other words, some data may be conditionally shared, such data being referred to as the user's personal data, such as personal or agency's real name authentication information, financial account information, photo albums, original and shared authentication information. Can be. Some users may want to share this data without publishing content so that data can be shared among certain users. Thus, data can be stored encrypted in the information sharing system 104, so that a particular user can be authorized to view the data.

According to an embodiment, a data sharing method that can be performed by a terminal device of the first client 101 is provided. 1 shows only one first client 101, and in a practical application scenario, there may be multiple first clients 101. Each of the first clients 101 may implement the method described herein. Referring to FIG. 2, the method may include the following steps.

In operation 201, the first client 101 may encrypt the plain text data according to the key to obtain the encrypted data.

In step 202, the first client 101 may upload the encrypted data to a block of the information sharing system 104, wherein the information sharing system is a blockchain system.

Here, when the user wants to upload data, the first client 101 used by the user encrypts the data (ie, the plain text data) using a preset key, and then encrypts the encrypted data with the information sharing system 104. Upload to).

In step 203, the first client 101 may upload the first portion of the key to the access authorization server 103 corresponding to the information sharing system 104.

Here, the access authorization server 103 corresponding to the information sharing system 104 may refer to the access authorization server 103 connected to the information sharing system 104.

Here, the key may be a string, and the string used as the key may be divided into two strings used as the first part and the second part of the key, respectively. In this step, the first portion of the key can be uploaded to the access authorization server 103. In some embodiments, the first half of the key may be used as the first portion and the second half of the key may be used as the second portion. In some other embodiments, the latter half of the key may be used as the first portion and the first half of the key may be used as the second portion. The length of the first portion and the second portion may be the same or different. In some embodiments, during splitting of a key, a string having a predetermined length may be divided according to a preset string length value (ie, the preset number of characters included in the string) to serve as the first portion of the key, The rest of the string is then used as the second part of the key.

In step 204, the first client 101 may receive an authorization code corresponding to the encrypted data from the access authorization server 103.

In some embodiments, upon receiving the first portion of the key uploaded by the first client 101 for the encrypted data, the access authorization server 103 generates an authorization code for the encrypted data and then authorizes it. Return the code to the first client 101. Specifically, the access authorization server 103 may generate an authorization code according to a rule corresponding to the user uploading the data.

In step 205, the first client 101 can send the second portion of the authorization code and key to another client of the user, for example the second client 102, if the user is authorized to access the encrypted data. The second client 102 can add the second portion of the authorization code and key to the access request when sending an access request for encrypted data to the access authorization server 103, where the second portion of the key It includes the remaining part in the key except the first part.

In this way, the access authorization server 103 can generate a key according to the first and second portions of the key if the authorization code is determined to be valid, and block the information sharing system 104 in accordance with the generated key. Decrypts the encrypted data obtained from the A / D header and provides the plain text data obtained through the decryption to the second client 102.

In some embodiments, if the user wishes to view encrypted data, the user may request an authorization code from the first client 101 by the second client 103 used by the user. When determining to authorize the user to view data, the first client 101 can send the second portion of the authorization code and key to the second client 102.

In some embodiments, access authorization server 103 may combine the first portion and the second portion of the key to form a complete key. If the second portion of the key obtained by the access authorization server 103 from the second client 102 and the first portion of the key obtained from the first client 101 do not belong to the same key, then the two portions may not be the correct key. Cannot be combined to form. Therefore, when decryption fails, the second client 102 cannot obtain the plain text data. The access grant server 103 may return a failure response or encrypted data to the second client 10. As such, the second client 102 cannot successfully view the contents of the data. Thus, the security of the data uploaded by the first client 101 is effectively guaranteed.

By using the method provided in the above embodiment, the first client 101 holds a key and an authorization code. The access authorization server 103 holds the authorization code and the first portion of the key, and if authenticated, the second client 102 may retain the second portion of the key and the authorization code. In this way, when the second client 102 requests access to the corresponding data through the access authorization server 103, the access authorization server 103 first verifies that the authorization code is valid, and the authorization code is valid. In this case, the incomplete key (first part and second part of the key) obtained from the first client 101 and the second client 102 can be used to obtain the complete key. If the incomplete key provided by the second client 102 is not valid, the correct complete key cannot be obtained, and the encrypted data cannot be successfully decrypted, thereby ensuring the security of the data. In this embodiment, the second client 102 and the access authorization server 103 each hold a portion of the key, and none of them has the right to access the encrypted data. The complete key can be obtained only when the key information held by the second client 102 and the access authorization server 103 are combined, thereby ensuring data security and user privacy. In this manner, for encrypted data stored in the information sharing system 104, and if the user does not want to disclose, the first client 101 may access some second clients 102 via the access authorization server 103. Can authorize access to plain text of encrypted data, thereby achieving a balance between information sharing and privacy protection and providing a better information sharing mechanism.

The above embodiment can be applied to a data sharing scenario of the blockchain. The access authorization server 103 may provide an authenticated viewing service of personal data, which may be an optional service for data privacy protection provided for the blockchain in an information sharing system. The service can be applied to scenarios such as information sharing blockchain and digital asset blockchain to protect data that users do not want to disclose and allow some users to view the data through independent approval. Blockchain is based on the principle of sharing, so any user can freely view the data on the blockchain. Here, the user can freely view the data regardless of whether the user is authorized or not. However, only the data viewed through the access grant server 103 may be decoded plain text data. If the user views the data directly on the blockchain, the user cannot obtain the encrypted data and obtain the plain text data.

In some embodiments, referring back to step 204, the first client 101 can further generate an access token or data view token of the encrypted data after receiving the authorization code. The access token can include a second portion of the authorization code and the key. In step 205, sending the second portion of the authorization code and key to the second client 102 specifically includes access tokens to the second client so that the second client 102 can add the access token to the access request. And transmitting to 102. As such, the first client 101 can send the second portion of the authorization code and key to the second client 102. Here, the authorization code and key may be a string formed of numbers and / or letters. Similarly, the access token formed by the second portion of the authorization code and key may be a string formed by numbers and / or letters. In such an embodiment, the first client 101 may issue a token to the second client 102 to authorize the corresponding user to access the encrypted data uploaded by the first client 101. Can be. In addition, the issued token may not have a complete key. Further verification may be required to access the access authorization server 103 to obtain a complete key for decrypting the data, thus effectively ensuring data security.

In some embodiments, referring back to step 202, when encrypted data is uploaded to the information sharing system 104, the first client 101 may further upload the file identifier of the holder of the encrypted data, This is generally the identifier of the user currently using the first client 101 so that the information sharing system 104 can associate the encrypted data with the file identifier and the user identifier of the holder. Thus, the access authorization server 103 may obtain encrypted data from the information sharing system 104 according to the holder's file identifier and user identifier. Here, when encrypted data is uploaded, the holder's file identifier and user identifier can be uploaded to the information sharing system 104 at the same time. The information sharing system 104 may associate the encrypted data with the holder's file identifier and user identifier when storing the encrypted data. When the information sharing system 104 queries the encrypted data, the access authorization server 103 may add the holder's file identifier and user identifier to the query request. In this way, information sharing server 104 may determine encrypted data associated with the file identifier and user identifier of the holder and return the encrypted data to access authorization server 103.

In some embodiments, referring back to step 203, when the first portion of the key is uploaded to the access authorization server 104, the first client 101 further uploads the holder's file identifier and user identifier, The access authorization server 103 may generate an authorization code in accordance with a rule corresponding to the holder's user identifier, and associate the authorization code with the first portion of the key, the file identifier, and the holder's user identifier. Upon receiving the access request, the access authorization server 103 may determine the first portion of the associated authorization code and key (encrypted locally at the access authorization server 103) according to the holder's file identifier and user identifier carried in the access request. May be a first portion of an authorization code and a key corresponding to the acquired data) to determine whether the authorization code carried in the access request is valid according to the obtained authorization code, and The key may be generated according to the part and the second part carried in the access request.

In some embodiments, authorization code generation rules for various users may be preconfigured at the access authorization server 103. The rule may specify a data address to which access is allowed in correspondence with the generated authorization code, the expiration time of the generated authorization code, and the like. The data address may be a block height of a blockchain, a universal resource locator (URL) address, or the like. In some embodiments, in step 203, when the first client 101 uploads the first portion of the key, the access authorization server 104 may, according to the concurrently uploaded user identifier of the holder of the encrypted data, an authorization code. You can determine the rules for generating the. As such, upon receiving an access request, the access authorization server 103 may locally discover an authorization code associated with the encrypted data currently requested for access, that is, an authorization code associated with the holder's file identifier and user identifier. If the authorization code carried in the access request is the same as the authorization code found locally, then the authorization code carried in the access request is indicated to be valid. In addition, it can be verified whether the authorization code has expired (eg, whether an expiration time has been reached or whether the authorization code is within a valid date) and / or the address of the encrypted data currently requested for access corresponds to the authorization code. Can be verified whether it belongs to an access allowed data address. For example, in a blockchain scenario, it may be verified whether the block height of the data for which the current view is requested is a block height that can be accessed corresponding to the authorization code. As another example, in a photo sharing scenario, it may be verified whether the album folder for which the current view is requested is a folder that can be accessed in correspondence with an authorization code. If the verification is successful, the authorization code may be determined to be valid. In some embodiments of the blockchain scenario, the access request sent by the second client 102 may carry a file identifier of the data to be shown. The access grant server 103 may determine the block height at which the data is located according to the file identifier, and thus may verify whether the block height of the determined data is a block height that can be accessed corresponding to the grant code. In some other embodiments, the access request sent by the second client 102 may directly carry a block height of data, and the access grant server 103 may indicate that the block height carried in the access request corresponds to an authorization code. It is possible to verify whether or not the block height is accessible.

If the authorization code is determined to be valid, the obtained first portion of the key associated with the holder's file identifier and the user identifier may be combined with the second portion of the key carried in the access request to form a complete key. This combination method may simply be connecting two parts.

In some embodiments, in step 204, when the first client 101 receives the authorization code, an access token of encrypted data may be further generated, which may include the authorization code and a second portion of the key, The access token can be associated with a file identifier. In step 205, sending the second portion of the authorization code and key to the second client 102 may remove the access token associated with the file identifier to allow the second client 102 to add the access token to the access request. And transmitting to the second client 102.

Specifically, the first client 101 maintains one or more access tokens. Each data uploaded by the first client 101 may correspond to an access token. In other words, each file identifier may be associated with an access token. As such, when the second client 102 requests data access approval from the first client 101, if the first client 101 agrees to grant the approval, the first client 101 responds to the corresponding access. The token can be determined and an access token can be issued to the second client 102. The second client 102 can request access authorization for specific data, or data set or all data meeting certain conditions. The first client 101 can send the corresponding one or more access tokens to the second client 102.

In some embodiments, after step 204, the method may further cause the first client 101 to send a cancellation request for the authorization code to the access authorization server 103 so that the access authorization server 103 can invalidate the authorization code. The method may further include transmitting. At the same time, the first client 101 can also invalidate the local authorization code. The cancellation request for the authorization code may carry a corresponding file identifier. The access authorization server 103 can determine the corresponding authorization code according to the file identifier, thereby invalidating the authorization code. For example, the status of the authorization code can be set to an invalid state or the authorization code can be cleared. The access authorization server 103 may return a response to the first client 101 after invalidating the authorization code. The first client 101 can complete the entire process of revoking the authorization code by invalidating the local authorization code when receiving the response.

In this manner, the first client 101 may not only enable the access authorization server 103 to generate an authorization code for the uploaded data, but may also request the access authorization server 103 to revoke the authorization code. After the authorization code is revoked, if the second client 102 uses an authorization code or an access token that includes the authorization code when requesting data access, the authorization code may be verified as invalid. Thus, the access request may be denied, and the second client 102 may not have access to the data, or may obtain only encrypted data, but may not obtain decrypted plain text data. Thus, a dynamic authentication scheme for data access can be formed. Users sharing data can revoke the corresponding authorization code as needed, so that users who can access the data by obtaining the original authorization code can no longer access the data.

In some embodiments, after the authorization code for the encrypted data is revoked, the first client 101 may generate a new authorization code for the encrypted data so that the access authorization server 103 may generate a new authorization code for the encrypted data. The authorization code generation request is further sent to the access authorization server 103, and the first client 101 may then receive a new authorization code corresponding to the encrypted data from the access authorization server 103. As such, the user can revoke the authorization code at any time so that the previously authenticated user cannot access the plain text of the encrypted data, as well as generate a new authorization code to re-authorize the user to access the plain text of the encrypted data. Can be implemented to provide flexible data access authorization.

In some embodiments, after obtaining the authorization code, the first client 101 can further request the access authorization server 103 to update the authorization code. Here, the authorization code obtained by the first client 101 has not yet been deleted or used. The first client 101 accesses the authorization code update request for the encrypted data so that the access authorization server 103 can generate a new authorization code corresponding to the encrypted data and replace the old authorization code with the new authorization code. May transmit to the server 103. The first client 101 then receives a new authorization code from the access authorization server 103 and replaces the old authorization code with the new authorization code. Through this authorization code update process, the first client 101 can revoke the previous authorization code such that the previously authenticated user cannot access the plain text of the encrypted data. In addition, the first client 101 may obtain a new user approval code to approve the additional user or to approve the same user again.

In some embodiments, the foregoing authorization code cancellation request, authorization code generation request, and authorization code update request can coexist, and the user cancels the authorization code, generates a new authorization code, or updates the authorization code as needed. Can be implemented to implement enhanced dynamic authorization resolution.

According to an embodiment, a data sharing method is provided that can be performed by the access authorization server 103. This method may include the following steps.

At step 301, the method may include receiving a first portion of the first key from the first client 101, the first key corresponding to the encrypted data uploaded to the block of the information sharing system 104. The encrypted data is obtained by encrypting the plain text data according to the first key, and the information sharing system is a blockchain system.

At step 302, the method may include generating a first authorization code corresponding to the encrypted data.

In step 303, the method further includes accessing the encrypted data so that the second client 102 can add a first grant code and a second portion of the first key to the access request when accessing the encrypted data. 2 In the case of approving the client 102, a second acknowledgment to the first client 101 so that the first client 101 can transmit the first grant code and the second portion of the first key to the second client 102. And transmitting the code, wherein the second portion of the first key includes the remaining portion of the first key except the first portion.

In step 304, the method includes performing the following steps in response to receiving an access request from any of the clients, which may be the authorized second client 102 described above or another unapproved client for encrypted data. It may include.

At step 305, the method may include obtaining a second grant code and an incomplete key from the access request.

In step 306, the method generates a second key according to the incomplete key corresponding to the encrypted data and the first portion of the first key if the second authorization code is the same as the first authorization code and valid with the second authorization code. And the generated second key is the same as the first key if the incomplete key is equal to the second portion of the first key.

In step 307, the method may include obtaining encrypted data from the block of the information sharing system 104 and decrypting the encrypted data according to the second key, wherein the plain text data is obtained through decryption and the second If the key is the same as the first key it is sent to the client sending the access request.

By using the method provided in the above embodiment, the first client 101 can hold a key and an authorization code, and the access authorization server 103 can hold a first portion of the authorization code and key. If approved, the second client 102 can hold the second portion of the key and the authorization code. As such, when another client (which may be an authorized second client 102 or another client) requests access to the corresponding data through the access authorization server 103, the access authorization server 103 first receives an authorization code. Can verify whether is valid. Then, if the authorization code is valid, a complete key can be obtained using an incomplete key (first and second portions of the key) obtained from the first client 101 and the other client, respectively. If the incomplete key provided by the other client is not valid, the correct completion key cannot be obtained and the encrypted data cannot be successfully decrypted, thereby ensuring data security. In this solution, the authorized second client 102 and the access authorization server 103 each hold a portion of the key, none of which has the right to access the encrypted data. The complete key can be obtained only when the key information held by the authorized second client 102 and the access authorization server 103 is combined, thereby effectively ensuring data security and data privacy. In this manner, if the user does not want to disclose the encrypted data to the encrypted data stored in the information sharing system 104, the first client 101 may access some second clients 102 through the access authorization server 103. ) Can be authorized to access plain text of encrypted data, thereby achieving a balance between information sharing and privacy protection, and providing a better information sharing mechanism.

In some embodiments, in step 305, obtaining a second grant code and an incomplete key from the access request may include obtaining an access token of encrypted data from the access request, and a second grant code and an incomplete key from the access token. It may further comprise the step of obtaining.

In some embodiments, in step 301, upon receiving the first portion of the key from the first client, the access authorization server 103 may further receive the file identifier and user identifier of the holder of the encrypted data. In step 302, generating a first authorization code corresponding to the encrypted data generates an authorization code according to a rule corresponding to the holder's user identifier, and assigns the authorization code to the first portion of the key, the file identifier and the owner's user. Associating with the identifier, and in response to receiving the access request, obtaining a first portion of the associated authorization code and key according to the holder's file identifier and the user identifier carried in the access request.

In some embodiments, the block may correspond to the block height. In step 302, the generated first grant code may correspond to a block height and / or expiration time that is granted access. In step 306, a block height and / or expiration time may be obtained for which access corresponding to the second grant code is allowed if the second grant code is the same as the first grant code. If the block height of the encrypted data corresponding to the access request matches the block height allowed for access in response to the second grant code and / or if the expiration time of the second grant code has not yet reached the second grant code is May be determined to be valid.

In some embodiments, the method may further include invalidating the authorization code in response to a cancellation request from the first client 101 for the authorization code. The access authorization server 103 may return a response to the first client 101 after invalidating the authorization code. Upon receiving the response, the first client 101 can complete the entire process of revoking the authorization code by invalidating the local authorization code. Thus, the user can revoke the approval code for some data as needed, thereby canceling data sharing with some users. For example, the second client 102 can obtain an authorization code for the data in advance, and when the authorization code expires, the second client 102 requests to access the data again using the authorization code. The authorization code may be verified as invalid. Thus, the second client 102 cannot access the data.

In some embodiments, the method includes generating a new authorization code corresponding to the encrypted data in response to the authorization code generation request from the client 101 for the encrypted data; And transmitting a new authorization code corresponding to the encrypted data to the first client 101. In this way, after revoking the authorization code for the data, the user may further request a new authorization code to re-authorize some users to access the data, thereby providing flexible data access authorization.

In some embodiments, the method generates a new authorization code corresponding to the encrypted data in response to the authorization code update request from the first client 101 for the encrypted data, and replaces the previous first authorization code with the new authorization code. Replacing with authentication, and transmitting a new authorization code corresponding to the encrypted data to the first client 101 so that the first client 101 can replace the previous authorization code with the new authorization code. It may further include.

4 illustrates a message interaction process according to an embodiment. As shown in FIG. 4, the process involves at least four entities, namely a first client 101, a second client 102, an access authorization server 103 and an information sharing system 104, the next processing step. It may include.

In step 401, the first client 101 may hold an encryption key and encrypt data to be uploaded to the information sharing system 104 to obtain encrypted data.

The first client 101 can upload the encrypted data to the information sharing system 104. During the upload of encrypted data, a user identifier of the holder of the encrypted data and a file identifier associated with the encrypted data may be further sent to the information sharing system 104. For example, the first client 101 can send a data upload request to the information sharing system 104, where the request carries the holder's user identifier, file identifier and encrypted data. The holder's user identifier may be an identifier of the current logged-in user of the first client 101, for example a QQ number, a cloud disk account or an account of the blockchain system. The file identifier can be used to identify the encrypted data.

The information sharing system 104 stores the encrypted data uploaded by the first client 101, stores the encrypted data in a directory corresponding to the holder's user identifier, and uses the file identifier to identify the encrypted data. Encrypted data may be associated with the holder's user identifier and file identifier.

In the scenario shown in FIG. 5, the first client 101 is a network disk client and the information sharing system 104 may be referred to as a network disk server in the cloud or as a cloud disk server. Users can upload files such as photos and videos using a network disk client. For example, a user can click control 501 to upload a picture and click control 502 to upload a video. If the user wants to ensure the privacy of uploaded photos and videos, the network disk client can be configured to encrypt the data. In this way, the network disk client can perform an encryption process in step 401.

In step 402, the first client 101 may upload the first half of the key used for encryption in step 401 (which may be referred to as the first half of the key) to the access authorization server 103, and associated with the encrypted data. The holder's user identifier may be further sent to the access authorization server. For example, the first client 101 can send a key upload request to the access authorization server 103, where the request carries the user identifier of the holder of the encrypted data and the first half of the key.

The access authorization server 103 generates an authorization code according to a rule corresponding to the holder's user identifier, associates the authorization code with the first half of the key and the holder's user identifier, and returns the authorization code to the first client 101. Can be.

In step 403, the first client 101 combines the second half of the key (which may be referred to as the second half of the key) and the received authorization code to form a data view token, in step 401, and generates a data view token. It can be associated with a file identifier of encrypted data.

Upon authorizing the second client 102 to view the plain text data of the encrypted data, the first client 101 can provide the data viewing token to the second client 102. For example, the second client 102 can request a view approval for the data from the first client 101 and send an approval request to carry the target file information to the first client 101. The first client 101 may determine a file identifier set corresponding to the data set that the second client 102 wants to see according to the target file information. The target file information may include a file identifier or may be an identifier of a folder, a directory address, or the like. The first client 101 can determine a corresponding file identifier set and further determine an associated data view token according to the file identifier set. Here, one set of file identifiers (which may include one or more file identifiers) may be associated with one data view token, which causes the first client 101 to deploy the file set to the second client 102. To approve the view. One set of file identifiers may also be associated with multiple data view tokens, where different file identifiers may be associated with different data view tokens, where the first client 101 sends each file to the second client 102. Indicates that each data view token corresponding to can be provided.

In step 404, the second client 102 may hold the data view token and then send a view request to the access authorization server 103, where the request may send the user identifier, file identifier and data view token of the holder of the encrypted data. To carry.

In the scenario shown in FIG. 6, the second client 102 may be a browser for visiting a blockchain page. The information sharing system 104 may be a blockchain system. The user can visit the blockchain page to see other information. Some information can be set private, and the user can only see the plain text if the user has a data view token. For example, a user may click on control 601 and then step 404 may be performed to send a view request. If the data view token carried in the view request includes the correct valid authorization code and the second half of the correct key, the browser may display a second page of plain text data corresponding to the "details" option.

In step 405, the access authorization server 103 may extract the data view token, the holder's user identifier and the file identifier from the received view request, extract the authorization code from the data view token, and determine whether the authorization code is valid. have. Here, the operation of determining whether the authorization code is valid by the access authorization server 103 includes two aspects. In a first aspect, it is determined whether the authorization code extracted from the data view token is the same as the locally stored authorization code associated with the holder's user identifier, and the authorization code extracted from the data view token is the same as the locally found authorization code. If so, the authorization code carried in the data view token is indicated to be valid. In a second aspect, if the two authorization codes are determined to be the same, it is further verified whether the authorization code has expired, for example whether the expiration time of the authorization code has been reached or whether the authorization code is still within the validity date and And / or whether the address of the encrypted data currently requested for access belongs to an access allowed data address corresponding to the authorization code.

If the authorization code is determined to be valid, the access authorization server 103 obtains the first half of the key associated with the authorization code, extracts the second half of the key from the data viewing token, and the first half of the key and the second half of the key to form a complete key. To combine.

The access authorization server 103 may further send a query request to the information sharing system 104, where the information sharing server 104 finds the associated encrypted data according to the holder's identifier and the file identifier, The request carries the holder's user identifier and file identifier to be able to return the encrypted data to 103.

In step 406, the access authorization server 103 may decrypt the encrypted data using the complete key obtained in step 405. If the latter half of the key extracted from the data viewing token is correct, then at 405 the correct complete key can be obtained. At this stage, the decoded data (ie, plain text data) can be successfully obtained through decryption, and the decoded data can be sent to the second client 102. If the latter half of the key extracted from the data viewing token is incorrect, the key obtained in step 405 is incorrect, and decryption cannot be performed. In this case, an error may be reported to the second client 102 or encrypted data may be returned directly to the second client 102. That is, since the second client 102 cannot see the plain text data successfully, the second client 102 can guarantee the security of the data uploaded by the first client 101.

If any of the above steps fail, the process can be terminated directly.

Based on the method described above, embodiments of the present disclosure further provide at least one client (which may be the first client 101) that may implement the method described above. As shown in FIG. 7, the first client 700 includes the following modules, that is,

An encryption module 701, configured to encrypt the plain text data according to the key to obtain encrypted data;

An uploading module 702 configured to upload the encrypted data to a block of the information sharing system 104 and upload the first portion of the key to the access authorization server 103 corresponding to the information sharing system 104—the information sharing system. Is a blockchain system; And

Receive an authorization code corresponding to the encrypted data from the access authorization server 103 and send the second portion of the authorization code and key to the second client 102 when the user is authorized to access the encrypted data. Authorization module 703-if the second portion of the key includes the remaining portion of the key except the first portion and sends an access request for encrypted data to the access authorization server, the second client 102 receives the authorization code. And by adding a second portion of the key to the access request, wherein the access authorization server 103 generates a key according to the first portion and the second portion of the key and obtains plain text data when the authorization code determines that the authorization code is valid. To decrypt the encrypted data obtained from the block of the information sharing system 104 according to the generated key and transmit the encrypted data to the second client 102. Can ―

It may include.

In some embodiments, authorization module 703 generates an access token of encrypted data, including the second portion of the authorization code and key, and second client 102 may add the access token to the access request. May be further configured to send the access token to the second client 102.

In some embodiments, when encrypted data is uploaded to the information sharing system 104, the uploading module 702 may enable the information sharing system 104 to associate the encrypted data with the holder's file identifier and user identifier. The file identifier of the encrypted data and the user identifier of the encrypted data holder can be further uploaded. Thus, the access authorization server 103 may obtain encrypted data from the information sharing system 104 according to the holder's file identifier and user identifier.

In some embodiments, the uploading module allows the access authorization server 103 to generate an authorization code in accordance with a rule corresponding to the holder's user identifier when the first portion of the key is uploaded to the access authorization server 103. 702 may further upload the holder's file identifier and user identifier. The access authorization server 103 associates the generated authorization code with the first portion of the key, the file identifier and the holder's user identifier, and determines, according to the obtained authorization code, whether the authorization code carried in the access request is valid. And in response to receiving the access request, in accordance with the file identifier and user identifier of the first portion carried in the access request, to generate a key in accordance with the first portion of the key and the second portion of the key carried in the access request. A first portion of the associated authorization code and key can be obtained.

In some embodiments, authorization module 703 may further generate an access token for the encrypted data, including the authorization code and the second portion of the key, and associate the access token with the file identifier. The authorization module 703 can send an access token associated with the file identifier to the second client 102, so that the second client 102 can add the access token to the access request.

In some embodiments, authorization module 703 further sends a cancellation request for the authorization code to access authorization server 103, allowing access authorization server 103 to invalidate the authorization code. The authorization module 703 may further invalidate the local authorization code.

In some embodiments, authorization module 703 further sends an authorization code generation request for encrypted data to access authorization server 103 such that access authorization server 103 corresponds to the new authorization code. To create a. The authorization module 703 may further receive a new authorization code corresponding to the encrypted data from the access authorization server 103.

In some embodiments, authorization module 703 further sends an authorization code update request for encrypted data to access authorization server 103 so that access authorization server 103 corresponds to the new authorization code. Can be generated and replaced with the new authorization code. The authorization module 703 may further receive a new authorization code from the access authorization server 103 and replace the old authorization code with a new authorization code.

Based on the method described above, embodiments of the present disclosure may further provide an access authorization server (such as the access authorization server 103 described above) that may implement the method described above. As shown in FIG. 8, server 800 includes the following modules:

Receiving a first portion of a first key from the first client 101, wherein the first key corresponds to encrypted data uploaded to a block of the information sharing system 104, the encrypted data in plain text according to the first key Obtained by encrypting the data, the information sharing system is a blockchain system, the authorization module 801 configured to generate a first authorization code corresponding to the encrypted data and to transmit the first authorization code to the first client 101 )-When the first client 101 authorizes the second client 102 to access the encrypted data, sends the first grant code and the second portion of the first key to the second client 102, When accessing encrypted data, the second client 102 adds a first grant code and a second portion of the first key to the access request, the second portion of the first key being the portion of the first key except the first portion. Contains the rest -;

In response to receiving an access request from any client (eg, second client 102) for the encrypted data, a second authorization code and an incomplete key are obtained from the access request, and the second authorization code is generated. A verification module 802, configured to trigger the key module 803 if the same as the first authorization code and the second authorization code is valid;

A key module 803 configured to generate a second key in accordance with an incomplete key corresponding to the encrypted data and a first portion of the first key, wherein the generated second key has an incomplete key equal to the second portion of the first key; Same as the first key in the case; And

A decryption module 804 configured to obtain encrypted data from a block of the information sharing system 104, and decrypt the encrypted data according to the second key, wherein the plain text data is obtained through decryption and the second key is associated with the first key. Sent to Client Sending Access Request in Same Case

It may include.

In some embodiments, the verification module 802 may obtain an access token of encrypted data from the access request, and obtain a second authorization code and an incomplete key from the access token.

In some embodiments, authorization module 801 may further receive a file identifier and a user identifier of a holder of encrypted data when receiving a first portion of a key from first client 101. The authorization module 801 may generate a first authorization code in accordance with a rule corresponding to the holder's user identifier, and associate the first authorization code with the first portion of the key, the file identifier, and the owner's user identifier. The verification module 802 may, in response to receiving the access request, obtain a first portion of the associated first authorization code and key according to the holder's file identifier and user identifier carried in the access request.

In some embodiments, the block may correspond to the block height. The first grant code generated by the grant module 801 may correspond to the block height and / or expiration time allowed for access. The verification module 802 can obtain a block height and / or an expiration time for which the access corresponding to the second grant code is allowed when the second grant code is the same as the first grant code, and encrypts the encrypted request corresponding to the access request. The second grant code may be determined to be valid if the block height of the data matches the block height allowed for access corresponding to the second grant code and / or if the expiration time of the second grant code has not yet reached.

In some embodiments, the authorization module 801 may further invalidate the first authorization code in response to a cancellation request from the first client 101 for the authorization code, whereby the first client 101 may be configured locally. The response may be returned to the first client to invalidate the first authorization code.

In some embodiments, authorization module 801 further generates a new authorization code corresponding to the encrypted data in response to the authorization code generation request from the first client 101 for the encrypted data, and encrypts the encrypted data. A new authorization code corresponding to may be transmitted to the first client 101.

In some embodiments, authorization module 801 further generates a new authorization code corresponding to the encrypted data in response to the authorization code update request from the first client 101 for the encrypted data, 1 replaces the authorization code with a new authorization, and sends a new authorization code corresponding to the encrypted data to the first client 101 so that the first client 101 can replace the previous authorization code with the new authorization code. Can be.

The principle of implementation of the functions of the above-described modules has already been described in detail above, and details are not described herein again.

In some embodiments, the client 700 and server 800 described above can be executed on various computing devices and loaded into the memory of the computing device. According to an embodiment, there is provided a computing device comprising one or more processors, a memory, and one or more programs stored in the memory and configured to be executed by the one or more processors, wherein the one or more programs may be any of the foregoing method embodiments. Contains instructions for performing

9 is a structural diagram of a configuration of a computing device in which a client 700 or server 800 is located. As shown in FIG. 9, the computing device includes a communication bus 908 configured to interconnect one or more processors (CPUs) 902, communication modules 904, memory 906, user interface 910, and components. It may include.

The processor 902 may receive and transmit data via the communication module 904 to implement network communication and / or local communication.

User interface 910 may include one or more output devices that include one or more speakers and / or one or more visual displays. The user interface may also include one or more input devices 914 including, for example, a keyboard, mouse, voice command input unit or loudspeaker, touch display, touch sensitive input tablet, gesture capture camera or other input button or control. have.

Memory 906 may be fast random access memory such as DRAM, SRAM, DDR RAM or other random access solid state storage. Memory 906 may also include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid state storage devices.

The memory 906 may store a set of instructions that may be executed by the processor 902,

An operating system 916 including programs for processing various basic system services and for performing hardware related tasks; And

Applications that may include various application programs capable of implementing the processing procedures in the foregoing embodiments, and may include, for example, the client 700 shown in FIG. 7 and / or the server 800 shown in FIG. 918). In some embodiments, client 700 may include some or all of modules 701-703 shown in FIG. 7, and modules 701-703 may store machine executable instructions. The processor 902 may implement the functions of the above-described modules 701 to 703 by executing the machine executable instructions of the modules 701 to 703 stored in the memory 906. In some embodiments, server 800 may include some or all of modules 801-804 shown in FIG. 8, and modules 801-804 may store machine executable instructions. The processor 902 may implement the functionality of the modules 801-804 described above by executing machine executable instructions in the modules 801-804 stored in the memory 906.

By using the client, server and computing device provided in the above embodiments, the first client 101 holds a key and an authorization code, and the access authorization server 103 holds an authorization code and a first portion of the key, If approved, the second client 102 can hold the second portion of the key and the authorization code. In this case, when the second client 102 requests access to the corresponding data via the access authorization server 103, the access authorization server 103 first verifies whether the authorization code is valid, and the authorization code is If valid, an incomplete key (first and second portions of the key) obtained from the first client 101 and the second client 102 can be used to obtain the complete key. If the incomplete key provided by the second client 102 is not valid, the correct complete key cannot be obtained and the encrypted data cannot be successfully decrypted. This ensures data security. In this embodiment, the second client 102 and the access authorization server 103 can each hold a portion of the key, and none of them have the right to access the encrypted data. The complete key can be obtained only when the key information held by the second client 102 and the access authorization server 103 are combined, thereby ensuring data security and user privacy.

Not all steps and modules of the above-described processes and schematics are necessary, and some steps or modules may be ignored, depending on the actual requirements. The order of execution of the steps is not fixed but can be adjusted as needed. The division of the modules is merely for convenience to explain the functional division used. During actual implementation, one module may be implemented by multiple modules, and the functions of multiple modules may also be implemented by the same module. The module may be located in the same device or may be located in another device.

The hardware module in an embodiment may be implemented by a hardware platform having hardware or software. The software may include machine readable instructions and may be stored in a nonvolatile storage medium. Thus, embodiments may also be implemented as a software product.

In embodiments, the hardware may be implemented by dedicated hardware or by hardware executing machine readable instructions. For example, the hardware may be a specially designed permanent circuit or logic device (eg, a special purpose processor such as an FPGA or ASIC) configured to complete a particular operation. The hardware may also include circuitry (such as a general purpose processor or other programmable processor) that is temporarily configured in a programmable logic device or software and configured to perform a particular task.

In addition, each of the embodiments of the present disclosure may be implemented by a data processing program executed by a data processing apparatus such as a computer. Clearly, data processing programs can be used in the present disclosure. Also, a data processing program stored on a storage medium is generally executed in the following manner: by reading the program directly from the storage medium or by installing or copying the program to a storage device (such as a hard disk or memory) of the data processing apparatus. Can be. Thus, such storage media may be used in the present disclosure. Embodiments of the present disclosure further provide a nonvolatile storage medium capable of storing a data processing program. The data processing program may be configured to execute any embodiment in the foregoing method embodiments of the present disclosure.

Machine-readable instructions corresponding to the modules in FIGS. 7 and 8 may cause an operating system operating on a computer to complete all or part of the operations described herein. The non-volatile computer readable storage medium may be inserted into a memory disposed on an expansion board of a computer or recorded in a memory disposed on an expansion unit connected to the computer. The CPU or the like installed in the expansion board or the expansion unit may perform some or all of the actual operations according to the instruction.

Non-volatile computer readable storage media include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW or DVD RW), Magnetic tape, non-volatile memory cards and ROM. In addition, the program code may be downloaded by the communication network from the server computer.

In conclusion, the scope of the claims is not limited to the implementation in the above-described embodiment, the present disclosure should be construed in the broadest sense as a whole.

Claims (15)

A data sharing method performed by a first client,
Encrypting the plain text data according to a key to obtain encrypted data;
Uploading the encrypted data to a block of an information sharing system, wherein the information sharing system is a blockchain system;
Uploading the first portion of the key to an access authorization server corresponding to the information sharing system;
Receiving an authorization code corresponding to the encrypted data from the access authorization server; And
Transmitting the authorization code and a second portion of the key to a second client of the user when the user is authorized to access the encrypted data, wherein the second portion of the key is the key except the first portion The second client adds the authorization code and the second portion of the key to the access request, and sends the access request to the access authorization server to the access authorization server. In case the authorization server determines that the authorization code is valid, the access authorization server generates the key according to the first and second portions of the key and, according to the generated key, to obtain the plain text data. Decrypt the encrypted data obtained from the block of the information sharing system, and transmit the decoded data to the second client. Returns the encrypted data;
Data sharing method comprising a. The method of claim 1,
When the encrypted data is uploaded to the block of the information sharing system, the information sharing system associates the encrypted data with a file identifier of the encrypted data and a user identifier of the holder of the encrypted data, and grants the access. The file identifier and the user identifier of the holder are further uploaded so that a server can obtain the encrypted data from the block of the information sharing system according to the file identifier and the user identifier of the holder,
How to share your data. The method of claim 2,
When the first portion of the key is uploaded to the access authorization server, the access authorization server generates the authorization code in accordance with a rule corresponding to the user identifier of the holder, and the authorization code is generated by the first portion of the key, Associate with the file identifier and the user identifier of the holder, and in response to receipt of the access request, present the associated authorization code and the key according to the file identifier carried in the access request and the user identifier of the first portion; Acquiring one portion, and determining, according to the obtained authorization code, whether the authorization code carried in the access request is valid, and extracting the first portion of the key and the second portion carried in the access request. The file identifier and the user identifier of the holder are further uploaded so that they can be generated,
How to share your data. The method of claim 1,
Sending a request for revocation of the authorization code to the access authorization server for the access authorization server to invalidate the authorization code; And
Steps to Invalidate a Local Authorization Code
Data sharing method further comprising a. The method of claim 1,
Send an authorization code update request for the encrypted data to the access authorization server so that the access authorization server generates a new authorization code corresponding to the encrypted data and replaces a previous authorization code with the new authorization code. Doing; And
Receiving the new authorization code from the access authorization server and replacing the authorization code with the new authorization code
Data sharing method further comprising a. A data sharing method performed by an access authorization server,
Receiving a first portion of a first key from a first client, wherein the first key corresponds to encrypted data uploaded to a block of an information sharing system, the encrypted data representing plaintext data according to the first key; Obtained by encryption, wherein the information sharing system is a blockchain system;
Generating a first authorization code corresponding to the encrypted data;
When the first client authorizes a second client to access the encrypted data, the first client sends the second grant code and the second portion of the first key to the second client, thereby generating the first client. 2 sending the first grant code to the first client so that the client can add the first grant code and the second portion of the first key to an access request when the client accesses the encrypted data; The second portion of the first key comprises the remaining portion of the first key except the first portion;
Including,
In response to receiving an access request from any client to the encrypted data, the data sharing method includes:
Obtaining a second grant code and an incomplete key from the access request;
Generating a second key according to the incomplete key and a first portion of the first key corresponding to the encrypted data when the second grant code is the same as the first grant code and the second grant code is valid Step, said generated second key being equal to said first key if said incomplete key is equal to a second portion of said first key;
Obtaining the encrypted data from the block of the information sharing system; And
Decrypting the encrypted data according to the second key, wherein the plaintext data is obtained through decryption and is sent to the client sending the access request if the second key is equal to the first key;
Further comprising, data sharing method The method of claim 6,
When the first portion of the key is received from the first client, a file identifier of the encrypted data and a user identifier of the holder of the encrypted data are further received,
Generating the first authorization code corresponding to the encrypted data,
Generating the first authorization code according to a rule corresponding to the holder's user identifier and associating the first authorization code with a first portion of the key, the file identifier and the holder's user identifier; And
In response to receiving the access request, obtaining the associated first authorization code and the first portion of the key according to the file identifier carried in the access request and the holder's user identifier
Further comprising, data sharing method. The method of claim 6,
The block corresponds to the block height,
The generated first authorization code corresponds to at least one of a block height and an expiration time allowed for access,
If the second grant code is the same as the first grant code, at least one of a block height and an expiration time allowed for access corresponding to the second grant code is obtained,
The block height of the encrypted data corresponding to the access request matches the block height to which access is allowed in correspondence with the second grant code and / or the expiration time of the second grant code has not yet reached Determined that the second authorization code is valid,
How to share your data. The method of claim 6,
Invalidating the first authorization code in response to a cancellation request from the client for the authorization code; And
Returning a response to the first client such that the first client can invalidate the local first authorization code.
Data sharing method further comprising a. The method of claim 6,
Generating a new authorization code corresponding to the encrypted data in response to the authorization code generation request from the first client for the encrypted data; And
Transmitting the new authorization code corresponding to the encrypted data to the first client.
Data sharing method further comprising a. The method of claim 6,
Generating a new authorization code corresponding to the encrypted data in response to an authorization code update request from the first client for the encrypted data, and replacing the first authorization code with the new authorization code; And
Sending the new authorization code corresponding to the encrypted data to the first client so that the first client can replace the first authorization code with the new authorization code.
Data sharing method further comprising a. As the first client,
An encryption module configured to encrypt the plain text data according to a key to obtain encrypted data;
An uploading module configured to upload the encrypted data to a block of an information sharing system and to upload a first portion of the key to an access authorization server corresponding to the information sharing system, wherein the information sharing system is a blockchain system;
Receive an authorization code corresponding to the encrypted data from the access authorization server,
An authorization module configured to send the authorization code and the second portion of the key to a second client when a user is authorized to access the encrypted data, wherein the second portion of the key is a portion of the key except the first portion. The second client adds the authorization code and the second portion of the key to the access request, and sends the access authorization to the access authorization server when the request for access to the encrypted data is transmitted. If the server determines that the authorization code is valid, the access authorization server generates the key in accordance with the first and second portions of the key, and obtains the plain text data to obtain the plain text data. Decrypts the encrypted data obtained from the block of the information sharing system, and transmits to the second client. Returns the encrypted data;
The first client comprising a. As an access authorization server,
Receiving a first portion of a first key from a first client, the first key corresponding to encrypted data uploaded to a block of an information sharing system, the encrypted data encrypting plain text data according to the first key And an information module, wherein the information sharing system is a blockchain system, the authorization module configured to generate a first authorization code corresponding to the encrypted data and to transmit the first authorization code to the first client. When a client authorizes a second client to access the encrypted data, the first client sends the second authorization code and the second portion of the first key to the second client, so that the second client When accessing the encrypted data, attaching the first authorization code and the second portion of the first key to an access request. In addition, the second portion of the first key comprises the remaining portion of the first key except the first portion;
In response to receiving an access request from any client for the encrypted data, obtaining a second grant code and an incomplete key from the access request, wherein the second grant code is the same as the first grant code and the first grant code A verification module, configured to trigger the key module if the authorization code is valid;
The key module configured to generate a second key according to the incomplete key and the first portion of the first key corresponding to the encrypted data, wherein the generated second key is the second key of the first key; Same as the first key if same as the portion; And
A decryption module configured to obtain the encrypted data from the block of the information sharing system, and to decrypt the encrypted data according to the second key, wherein the plain text data is obtained through decryption and the second key is the first key. Sent to the client sending the access request if equal to
Access authorization server comprising a. As a computing device,
One or more processors;
Memory; And
One or more programs stored in the memory and configured to be executed by the one or more processors, wherein the one or more programs comprise instructions for performing a method according to any one of claims 1 to 11.
Computing device comprising a. As a storage medium,
Save one or more programs that contain commands,
The instructions, when executed by a computing device, enable the computing device to perform the method according to any one of claims 1 to 11,
Storage media.

Images